GCP SCIM Connector Features

The GCP Connector by EmpowerID enables seamless synchronization of identity data between EmpowerID and Google Cloud Platform (GCP). At a high level, the connector provides the following capabilities:

  • Full and Incremental Inventory Support for

    • User Accounts, Service Accounts, and Guest Accounts

    • Groups

    • Group memberships for all account types

    • Group-to-Group memberships

  • Creating, updating, disabling, and deleting user accounts.

  • Enabling, disabling, and deleting service accounts.

  • Creating, updating, and deleting groups.

  • Provisioning accounts through EmpowerID Resource Entitlements.

  • Resetting passwords for user accounts.

  • Handling group membership additions and removals for all account types.

  • Assigning group memberships to accounts through management role (RBAC) assignments.

Supported Operations by GCP Microservice

The SCIM microservice for GCP (Google Cloud Platform) exposes several endpoints designed for identity management and data synchronization between GCP and the Connector. Below are the specific operations and their corresponding endpoints:

| Name | Method | URL | Description |
| --- | --- | --- | --- |
| Query Projects | GET | /QueryProjects | Queries projects. |
| Query Users | GET | /QueryUsers | Queries users. |
| Query Predefined IAM Roles | GET | /QueryPredefinedIamRoles?count=100&skipToken={{skiptoken}} | Queries predefined IAM roles. |
| Query Project Custom IAM Roles | GET | /QueryProjectCustomIamRoles/{{projectId}} | Queries custom IAM roles for a specific project. |
| Query Organization Custom IAM Roles | GET | /QueryOrganizationCustomIamRoles | Queries custom IAM roles for an organization. |
| Query Resources | GET | /QueryOrganizationResources | Queries resources associated with an organization. |
| Query IAM Policies | GET | /QueryIAMPolicies | Queries IAM policies. |
| Query Organizations | GET | /QueryOrganizations | Queries all organizations. |
| Query Directory Roles | GET | /QueryRoles | Queries directory roles. |
| Query Privileges | GET | /QueryPrivileges | Queries privileges. |
| Query Organizational Units | GET | /v1/OrganizationalUnits | Queries organizational units. |
| Query Role Assignments | GET | /QueryRoleAssignments | Queries role assignments. |
| Query Role Assignments Delta | GET | /EIDExtension/ChangedRoleAssignmentsQuery | Queries role assignments that have changed since the specified start time. |
| Query Service Accounts | GET | /QueryOrganizationResources/{{organizationId}} | Retrieves service accounts associated with an organization. |
| Get Service Account by ID | GET | /QueryOrganizationResources/{{organizationId}}?filter=iam.googleapis.com/ServiceAccount&query={serviceaccountid} | Retrieves a specific service account by ID. |
| Create Service Account | POST | /v1/serviceaccounts/eidextension?accountId={{accountId}} | Creates a new service account. |
| Update Service Account | PATCH | /v1/serviceaccounts/eidextension/{{accountId}} | Updates an existing service account. |
| Delete Service Account | DELETE | /v1/serviceaccounts/eidextension/{{accountId}} | Deletes a service account. |
| Disable Service Account | GET | /v1/serviceaccounts/eidextension/disable/{{accountId}} | Disables a service account. |
| Enable Service Account | GET | /v1/serviceaccounts/eidextension/enable/{{accountId}} | Enables a service account. |
| Query Groups | GET | /v1/groups | Queries all groups. |
| Create Group | POST | /v1/groups | Creates a new group. |
| Get Group by ID | GET | /v1/groups/{{groupId}} | Retrieves a specific group by ID. |
| Update Group (patch) | POST | /v1/groups/{{groupId}} | Updates an existing group. |
| Delete Group | DELETE | /v1/groups/{{groupId}} | Deletes a group. |
| Query Groups Delta | GET | /v1/groups/EIDExtension/NewOrUpdated?startTime={{timestamp}} | Queries groups that have been created or updated since the specified start time. |
| Query Group Members | GET | /EIDExtension/MemberQuery/{{groupId}} | Queries members of a specific group. |
| Delete Group Member | DELETE | /EIDExtension/MemberQuery/{{groupId}}/{{memberId}} | Deletes a specific member from a group. |
| Create Group Member | POST | /EIDExtension/MemberQuery | Creates a new member in a group. |
| Update Group Member | POST | /EIDExtension/MemberQuery/{{groupId}}/{{memberId}} | Updates a specific member's details in a group. |
| Query Group Members Delta | GET | /EIDExtension/ChangedMemberQuery | Queries members of a group that have been created or updated since the specified start time. |

Inventory

The GCP Connector provides the two standard inventory processes included in every EmpowerID connector:

  1. Incremental Inventory: This process reads the LastTimeStamp recorded by the previous inventory run and imports only the user and group identity data that has changed since then.

  2. Full Inventory: This process performs a complete inventory of all GCP users and groups each time the inventory job is executed.
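The two inventory modes driven by the delta endpoints listed in the operations table, as an added Python example (not EmpowerID's own code). The page documents startTime only for the groups delta; that the member and role-assignment deltas accept the same parameter, the fixed clock, and the fake HTTP layer are assumptions of this example.

```python
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

# Endpoints from the operations table above. startTime is documented for the groups
# delta; that the member and role-assignment deltas take the same parameter is an
# assumption of this example. No user delta is listed, so users are always read in full.
FULL_RUN = ["/QueryUsers", "/v1/groups", "/QueryRoleAssignments"]
INCREMENTAL_RUN = [
    "/QueryUsers",
    "/v1/groups/EIDExtension/NewOrUpdated?startTime={ts}",
    "/EIDExtension/ChangedMemberQuery?startTime={ts}",
    "/EIDExtension/ChangedRoleAssignmentsQuery?startTime={ts}",
]

def iso_utc(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def plan_inventory(last_timestamp: Optional[str], now: datetime) -> Tuple[List[str], str]:
    """Return the requests to issue and the LastTimeStamp to persist on success.
    The watermark is taken from the clock *before* any query runs, so changes that land
    while the run is in progress fall into the next window instead of being skipped.
    Without a previous LastTimeStamp an incremental run degrades to a full inventory."""
    watermark = iso_utc(now)
    if last_timestamp is None:
        return list(FULL_RUN), watermark
    return [url.format(ts=last_timestamp) for url in INCREMENTAL_RUN], watermark

def run_inventory(last_timestamp: Optional[str], now: datetime,
                  fetch: Callable[[str], list]) -> Tuple[list, Optional[str]]:
    """Execute the plan through `fetch` (the injected HTTP call). The new LastTimeStamp
    is returned only when every request succeeded; otherwise the old one is kept so the
    next run re-covers the same window rather than silently losing changes."""
    requests, watermark = plan_inventory(last_timestamp, now)
    changes: list = []
    try:
        for url in requests:
            changes.extend(fetch(url))
    except Exception:
        return changes, last_timestamp
    return changes, watermark

# Constructed stand-ins: a fixed clock and a fake HTTP layer that fails on the member
# delta, so the rollback path can be exercised offline.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

def fake_fetch(url: str) -> list:
    if "ChangedMemberQuery" in url:
        raise RuntimeError("simulated HTTP 503")
    return [{"source": url}]
```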

Attribute Mappings

The GCP Connector by EmpowerID synchronizes Google Cloud Platform (GCP) and EmpowerID by mapping relevant attributes from GCP to EmpowerID object attributes. Below are the detailed mappings for user attributes, group attributes, and service account attributes between GCP and EmpowerID.

User Attributes

During the GCP and EmpowerID inventory process, user accounts from GCP are synced with EmpowerID. The following table outlines how GCP user attributes map to EmpowerID account attributes:

| SCIM Microservice Attribute | EmpowerID Account Attribute | Description |
| --- | --- | --- |
| name['givenName'] | FirstName | Maps to the user's first name. |
| name['familyName'] | LastName | Maps to the user's last name. |
| ['displayName'] | DisplayName | The user's full name, formed by concatenating the first and last name values. |
| name['formatted'] | CustomAttribute17 | May contain the user's display name (optional). |
| active | Active | Indicates whether the user account is active in GCP, meaning it is not suspended, archived, or deleted. |
| country | Country | Maps to the user's country. This attribute supports only one-way sync from GCP to EmpowerID, that is, the Account Store Changes Only attribute flow in EmpowerID. |
| photos[0]['value'] | PhotoUrl | The URL of the user's profile photo. The URL may be temporary or private. |
| meta['created'] | CreatedTimeStamp | The user's G Suite account creation time. |
| preferredLanguage | PreferredLanguage | Maps to the user's language if the user profile has a single language. |
| agreedToTerms | CustomAttribute2 | True if the user has completed an initial login and accepted the Terms of Service agreement. |
| changePasswordAtNextLogin | MustChangePasswordOnNextLogin | Indicates whether the user is forced to change their password at next login. This setting does not apply when the user signs in via a third-party identity provider. |
| includeInGlobalAddressList | CustomAttribute3 | Indicates whether the user's profile is visible in the Google Workspace global address list when the contact sharing feature is enabled for the domain. |
| ipWhitelisted | CustomAttribute4 | If true, the user's IP address is subject to a deprecated IP address allowlist configuration. |
| isAdmin | CustomAttribute5 | Indicates a user with super administrator privileges. |
| isDelegatedAdmin | CustomAttribute6 | Indicates whether the user is a delegated administrator. Delegated administrators are supported by the API but cannot create or undelete users, or make users administrators. |
| isEnforcedIn2Sv | CustomAttribute7 | Indicates whether two-step verification is enforced for the user in GCP. |
| isEnrolledIn2Sv | CustomAttribute8 | Indicates whether the user is enrolled in two-step verification in GCP. |
| isMailboxSetup | CustomAttribute9 | Indicates whether the user's Google mailbox has been created. Only applicable if the user has been assigned a Gmail license. |
| lastLoginTime | LastLogin | Timestamp of the user's last login in GCP. |
| orgUnitPath | OrgUnit | The full path of the parent organization associated with the user. If the parent organization is the top level, it is represented as a forward slash (/). |
| primaryEmail | eMail | Maps to the user's primary email address in GCP. |
| recoveryEmail | CustomAttribute10 | Contains the recovery email address for the user in GCP. |
| recoveryPhone | PhoneNumber | The user's recovery phone. The phone number must be in E.164 format, starting with the plus sign (+). Example: +16506661212. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['suspensionReason'] | CustomAttribute11 | The reason the user account was suspended, either by the administrator or by Google, at the time of suspension. Returned only if the suspended property is true. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['archived'] | CustomAttribute12 | Indicates whether the user account is archived. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['removed'] | CustomAttribute13 | Indicates whether the user account is removed. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['removedOn'] | CustomAttribute14 | The date and time when the user account was removed. |
|  | AccountUsageType | One of three possible values: Personal (user accounts), Guest, or Service. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['plain'].firstHomePhone | HomePhone | The first of possibly several home phone numbers. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['plain'].firstMobilePhone | MobilePhone | Maps to the user's mobile phone number in GCP. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['plain'].firstBusinessPhone | PhonesOther | Maps to the first business phone number of the user. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['plain'].firstOrgDepartment | Department | The first organizational department of the user. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['plain'].firstOrgTitle | Title | The first organizational title of the user. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['suspended'] | Suspended | Indicates whether the user account is suspended. |
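As an added Python example (not the connector's own code), the following resolves a subset of the table's SCIM paths, written in the same notation the table uses, against a constructed SCIM user and derives the EmpowerID attributes. The cross-check of `active` against the extension's suspended/archived/removed flags and the E.164 validation of the recovery phone are defensive checks added here, not documented connector behaviour.

```python
import re

EXT = "urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User"
# Path notation used in the mapping table: bare names, ['quoted keys'], [index], .names
TOKEN = re.compile(r"\['([^']*)'\]|\[(\d+)\]|\.?([A-Za-z_][A-Za-z0-9_]*)")
E164 = re.compile(r"\+[1-9]\d{1,14}")

# EmpowerID account attribute -> SCIM path, copied from the table above (a subset).
USER_MAP = {
    "FirstName": "name['givenName']",
    "LastName": "name['familyName']",
    "eMail": "primaryEmail",
    "PhotoUrl": "photos[0]['value']",
    "PhoneNumber": "recoveryPhone",
    "Suspended": f"['{EXT}']['suspended']",
    "HomePhone": f"['{EXT}']['plain'].firstHomePhone",
}

def resolve(doc, path):
    """Follow one table path through the SCIM document; None if any step is absent."""
    cur = doc
    for quoted, index, bare in TOKEN.findall(path):
        key = int(index) if index else (quoted or bare)
        try:
            cur = cur[key]
        except (KeyError, IndexError, TypeError):
            return None
    return cur

def map_user(scim_user):
    """Produce EmpowerID account attributes from one SCIM user document."""
    acct = {eid: resolve(scim_user, path) for eid, path in USER_MAP.items()}
    # DisplayName is documented as first name + last name, not a copied field.
    acct["DisplayName"] = " ".join(p for p in (acct["FirstName"], acct["LastName"]) if p)
    # Active = not suspended/archived/removed; if SCIM `active` disagrees, fail closed.
    ext = scim_user.get(EXT) or {}
    flagged = any(ext.get(k) for k in ("suspended", "archived", "removed"))
    acct["Active"] = bool(scim_user.get("active")) and not flagged
    # The recovery phone must be E.164 (+ followed by digits); drop anything else.
    if acct["PhoneNumber"] and not E164.fullmatch(acct["PhoneNumber"]):
        acct["PhoneNumber"] = None
    return acct

# Constructed sample (values are made up; only the schema URN comes from the page).
SAMPLE_USER = {
    "primaryEmail": "jdoe@example.com", "active": False, "recoveryPhone": "6506661212",
    "name": {"givenName": "Jane", "familyName": "Doe", "formatted": "Jane Doe"},
    "photos": [{"value": "https://photos.example/jdoe.jpg"}],
    EXT: {"suspended": True, "suspensionReason": "ADMIN", "archived": False,
          "plain": {"firstHomePhone": "+16505550100"}},
}
```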

Group Attribute Mappings

During the GCP and EmpowerID integration process, group information from GCP is synced with EmpowerID. This table outlines how GCP group attributes map to the corresponding EmpowerID group attributes.

| GCP Attribute | EmpowerID Group Attribute | Description |
| --- | --- | --- |
| ['description'] | Description | Mapped to an extended description that helps users determine the purpose of a group. For example, it can include information about who should join the group, the types of messages to send to the group, links to FAQs about the group, or related groups. |
| ['adminCreated'] | CustomAttribute16 | Indicates whether the group was created by an administrator. |
| ['email'] | CustomAttribute15 | Maps to the email address associated with the group. |
| ['displayName'] | Display Name | Maps to the display name of the group. |

Service Account Attribute Mappings

The following table outlines how GCP service account attributes map to the corresponding attributes in EmpowerID.

| GCP Attribute | EmpowerID Account Attribute | Description |
| --- | --- | --- |
| displayName | DisplayName | Name of the service account as it appears in GCP. |
| ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:Resource']['versionedResources'][?(@.version=='v1')].resource.email | CustomAttribute18 | Maps to the service account email. |
| description | Description | Service account description. |